Reputation: 9044
How unique is the HttpSession ID?
I am going to uniquely identify a user by storing a unique ID in his/her cookie. HttpSession ID is a good choice from my google search. Just wanted to know how unique it is ? Is it unique to the webcontainer or once it expires , will it get regenerated ? If it repeats, all my user login can go for a toss.Need some expert opinion on using sessonID as a unique identifier for my users.
Upvotes: 7
Views: 6214
Answers (2)
Reputation: 691715
A session ID must uniquely identify a session on a server, or on a cluster of servers. You don't have any guarantee of uniqueness across restarts. Why don't you simply use a database sequence, or a UUID?
Upvotes: 2
Reputation: 359786
Session IDs are unique and meaningful only for the lifetime of a session. A session ID identifies a session: nothing more, nothing less. It does not identify a user.
You cannot and should not rely on session IDs ever being reused, let alone for the same user.
Upvotes: 8
Related Questions
- Java multiple HttpSession IDs for the same user
- Which one is responsible for the generation of http session ID? The client browser, the server, or both?
- How does a tomcat server identify clients for creating session id
- Custom ID in session handling by Java Servlet API
- What prevents HttpSession's id from being stolen?
- Session ID re-used after call to invalidate
- java session id structure from HttpServletRequest
- How unique is HttpSession.getId()?
- Can a Servlet get HTTPS session id?
- How to obtain an HttpSession Object from SessionID?